Message-Id: <E1Ll6oX-0004wu-Ol@titan.mandriva.com>
Date: Sat, 21 Mar 2009 20:25:01 +0100
From: security@...driva.com
To: full-disclosure@...ts.grok.org.uk
Subject: [ MDVSA-2009:077 ] pam


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2009:077
 http://www.mandriva.com/security/
 _______________________________________________________________________

 Package : pam
 Date    : March 21, 2009
 Affected: 2008.0, 2008.1, 2009.0, Corporate 3.0, Corporate 4.0,
           Multi Network Firewall 2.0
 _______________________________________________________________________

 Problem Description:

 A security vulnerability has been identified and fixed in pam:
 
 Integer signedness error in the _pam_StrTok function in
 libpam/pam_misc.c in Linux-PAM (aka pam) 1.0.3 and earlier, when a
 configuration file contains non-ASCII usernames, might allow remote
 attackers to cause a denial of service, and might allow remote
 authenticated users to obtain login access with a different user's
 non-ASCII username, via a login attempt (CVE-2009-0887).
 
 The updated packages have been patched to prevent this.
 
 Additionally, some development packages required to build pam for CS4
 were missing; these are also provided with this update.
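 The advisory only names the defect class ("integer signedness error" in
 _pam_StrTok) without showing the code. The following is an added
 illustration of that class, written for this page and not Linux-PAM's
 actual pam_misc.c: a tokenizer that builds a 256-entry delimiter table and
 indexes it with each input byte. On platforms where plain `char` is signed,
 a non-ASCII byte (0x80 and above, as in a UTF-8 username) converts to a
 negative index. The helper names (`unsafe_index`, `safe_index`,
 `count_tokens`, `has_non_ascii`), the sample configuration line and the
 exact table-lookup shape are assumptions made for the example; the
 mitigation shown, casting through `unsigned char` before indexing, is the
 standard fix for this class.

```c
/* Added illustration of the signed-char table-index bug class named in
 * MDVSA-2009:077 / CVE-2009-0887. This is NOT Linux-PAM's pam_misc.c; the
 * function names and sample input are constructed for the example. */
#include <stdio.h>
#include <string.h>

/* Index that plain-char indexing would compute. On a signed-char platform
 * (x86 Linux) any byte >= 0x80 yields a negative value, i.e. a read before
 * the start of a 256-entry table. This helper only computes the value; it
 * never dereferences with it. */
int unsafe_index(char c) { return (int)c; }

/* Correct index: converting through unsigned char first always yields 0..255. */
int safe_index(char c) { return (int)(unsigned char)c; }

/* Returns 1 if the string contains any byte outside 7-bit ASCII, i.e. a byte
 * that would trigger the negative-index case under plain-char indexing. */
int has_non_ascii(const char *s) {
    for (const char *p = s; *p; p++)
        if ((unsigned char)*p >= 0x80) return 1;
    return 0;
}

/* Count tokens in `s` separated by any byte listed in `delims`, using a
 * 256-entry lookup table indexed only via safe_index(). Returns the count. */
int count_tokens(const char *s, const char *delims) {
    unsigned char table[256];
    memset(table, 0, sizeof table);
    for (const char *d = delims; *d; d++)
        table[safe_index(*d)] = 1;          /* mark delimiter bytes */

    int count = 0, in_token = 0;
    for (const char *p = s; *p; p++) {
        if (table[safe_index(*p)]) {        /* delimiter: end current token */
            in_token = 0;
        } else if (!in_token) {             /* first byte of a new token */
            in_token = 1;
            count++;
        }
    }
    return count;
}

int main(void) {
    /* Constructed sample: a config-style line whose last field carries a
     * UTF-8 username ("jürgen", ü = bytes 0xC3 0xBC). */
    const char *line = "auth required pam_unix.so user=j\xc3\xbcrgen";

    printf("tokens: %d\n", count_tokens(line, " \t"));
    printf("non-ASCII byte present: %d\n", has_non_ascii(line));
    printf("index of byte 0xC3 via plain char: %d, via unsigned char: %d\n",
           unsafe_index((char)0xC3), safe_index((char)0xC3));
    return 0;
}
```

 The `unsafe_index` result for 0xC3 is -61 on a signed-char platform and
 195 where `char` is unsigned (some ARM ABIs), which is why the bug is
 platform-dependent and easy to miss in testing with ASCII-only usernames.
 Compilers warn about this pattern with `-Wchar-subscripts`, which is a
 cheap check to enable when auditing tokenizers and lookup tables.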
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0887
 _______________________________________________________________________

 Updated Packages:

 Mandriva Linux 2008.0:
 210e7f58292fc3c903b22538c2be7295  2008.0/i586/libpam0-0.99.8.1-6.1mdv2008.0.i586.rpm
 599ae39aa412bbd293b12c54c5c8105b  2008.0/i586/libpam-devel-0.99.8.1-6.1mdv2008.0.i586.rpm
 141f673610f93f1b9f26b8cb94ea38dc  2008.0/i586/pam-0.99.8.1-6.1mdv2008.0.i586.rpm
 5aea57085d3baba905a05c5d1f29d29e  2008.0/i586/pam-doc-0.99.8.1-6.1mdv2008.0.i586.rpm 
 1d9551b97e8e4eb5af65ef8c251b5f4c  2008.0/SRPMS/pam-0.99.8.1-6.1mdv2008.0.src.rpm

 Mandriva Linux 2008.0/X86_64:
 bc55a9ea37c3541fdf656238b46aa8c5  2008.0/x86_64/lib64pam0-0.99.8.1-6.1mdv2008.0.x86_64.rpm
 883efd2432eaddbc6a0421ea847c54d6  2008.0/x86_64/lib64pam-devel-0.99.8.1-6.1mdv2008.0.x86_64.rpm
 c0947a0c7442b415a4b39423c98a1e6f  2008.0/x86_64/pam-0.99.8.1-6.1mdv2008.0.x86_64.rpm
 7c3ec5bfc9c9ca51959345d62158013c  2008.0/x86_64/pam-doc-0.99.8.1-6.1mdv2008.0.x86_64.rpm 
 1d9551b97e8e4eb5af65ef8c251b5f4c  2008.0/SRPMS/pam-0.99.8.1-6.1mdv2008.0.src.rpm

 Mandriva Linux 2008.1:
 2c9d674a712fc6b662ce99c9ab498075  2008.1/i586/libpam0-0.99.8.1-8.1mdv2008.1.i586.rpm
 104fc3313ba8ed211850c62effe26a2b  2008.1/i586/libpam-devel-0.99.8.1-8.1mdv2008.1.i586.rpm
 82037a9570821f47da2f95a214c18f1a  2008.1/i586/pam-0.99.8.1-8.1mdv2008.1.i586.rpm
 c96cf5d1f2311bcea54601a15e64eed2  2008.1/i586/pam-doc-0.99.8.1-8.1mdv2008.1.i586.rpm 
 d27ad78a0e3691c454f11548e5135504  2008.1/SRPMS/pam-0.99.8.1-8.1mdv2008.1.src.rpm

 Mandriva Linux 2008.1/X86_64:
 b9cf6e7e251ad97d161bea4b88fa58b5  2008.1/x86_64/lib64pam0-0.99.8.1-8.1mdv2008.1.x86_64.rpm
 9e0818c288d1cf464e410d127bb69626  2008.1/x86_64/lib64pam-devel-0.99.8.1-8.1mdv2008.1.x86_64.rpm
 b371e10cdd5a1e2c2a142838eccc7f34  2008.1/x86_64/pam-0.99.8.1-8.1mdv2008.1.x86_64.rpm
 fcdffc3dfd820cdad31dbe7696126e45  2008.1/x86_64/pam-doc-0.99.8.1-8.1mdv2008.1.x86_64.rpm 
 d27ad78a0e3691c454f11548e5135504  2008.1/SRPMS/pam-0.99.8.1-8.1mdv2008.1.src.rpm

 Mandriva Linux 2009.0:
 354f27c6c6fe417f0d408be7f983f9c5  2009.0/i586/libpam0-0.99.8.1-16.1mdv2009.0.i586.rpm
 18c14b61195c204d707847114d043ad6  2009.0/i586/libpam-devel-0.99.8.1-16.1mdv2009.0.i586.rpm
 9fa26fe7256872ac151e1007a3d0921c  2009.0/i586/pam-0.99.8.1-16.1mdv2009.0.i586.rpm
 601c69d37b980098cdb3e626401b758c  2009.0/i586/pam-doc-0.99.8.1-16.1mdv2009.0.i586.rpm 
 69fcb3b23d5c26616ab9741276b9f2a0  2009.0/SRPMS/pam-0.99.8.1-16.1mdv2009.0.src.rpm

 Mandriva Linux 2009.0/X86_64:
 936142c771482dc517230e105a9fc897  2009.0/x86_64/lib64pam0-0.99.8.1-16.1mdv2009.0.x86_64.rpm
 af6bf7ba3b78ba4d1e53f819c02896cf  2009.0/x86_64/lib64pam-devel-0.99.8.1-16.1mdv2009.0.x86_64.rpm
 919e004be5df3d39de7126b4f71d524b  2009.0/x86_64/pam-0.99.8.1-16.1mdv2009.0.x86_64.rpm
 24f90b1d7c77b2451cbff0c094dfaba1  2009.0/x86_64/pam-doc-0.99.8.1-16.1mdv2009.0.x86_64.rpm 
 69fcb3b23d5c26616ab9741276b9f2a0  2009.0/SRPMS/pam-0.99.8.1-16.1mdv2009.0.src.rpm

 Corporate 3.0:
 bbccb95ef2d489cad5008aff0d477ad6  corporate/3.0/i586/libpam0-0.77-12.2.C30mdk.i586.rpm
 a0e07a330f09ec25341075217f38fef7  corporate/3.0/i586/libpam0-devel-0.77-12.2.C30mdk.i586.rpm
 2e3005d760e72a6222c7aa0ff3da4708  corporate/3.0/i586/pam-0.77-12.2.C30mdk.i586.rpm
 b7e31f39ccadadbb2f5444a00fff6497  corporate/3.0/i586/pam-doc-0.77-12.2.C30mdk.i586.rpm 
 293b1a6e0c32005069e5390bd6b0b3b8  corporate/3.0/SRPMS/pam-0.77-12.2.C30mdk.src.rpm

 Corporate 3.0/X86_64:
 7bbb844351309190676f4fbe9ce62e70  corporate/3.0/x86_64/lib64pam0-0.77-12.2.C30mdk.x86_64.rpm
 25c16ee4d718a9e260c153c6983f5d2b  corporate/3.0/x86_64/lib64pam0-devel-0.77-12.2.C30mdk.x86_64.rpm
 249311fb9fd0c43506a11f1cce32c979  corporate/3.0/x86_64/pam-0.77-12.2.C30mdk.x86_64.rpm
 309ae91641c19729263eab22709cf52e  corporate/3.0/x86_64/pam-doc-0.77-12.2.C30mdk.x86_64.rpm 
 293b1a6e0c32005069e5390bd6b0b3b8  corporate/3.0/SRPMS/pam-0.77-12.2.C30mdk.src.rpm

 Corporate 4.0:
 020800834f4ce964fae630a85cf627c5  corporate/4.0/i586/cracklib-dicts-2.8.3-1.1.20060mlcs4.i586.rpm
 8b751aa75911ff9b169812cce188e307  corporate/4.0/i586/libcrack2-2.8.3-1.1.20060mlcs4.i586.rpm
 98e07f212a2b18fcc83407ee554262f7  corporate/4.0/i586/libcrack2-devel-2.8.3-1.1.20060mlcs4.i586.rpm
 f19159f721379636f53c4266036310ec  corporate/4.0/i586/libpam0-0.77-31.1.20060mlcs4.i586.rpm
 37cf1f3f4e2765a1ca9a5869430c0a1d  corporate/4.0/i586/libpam0-devel-0.77-31.1.20060mlcs4.i586.rpm
 1e068b619020a011addb397f962a8a4d  corporate/4.0/i586/libpwdb0-0.62-2.1.20060mlcs4.i586.rpm
 3507f0ae0f11686a4607e15cc069edc2  corporate/4.0/i586/libpwdb0-devel-0.62-2.1.20060mlcs4.i586.rpm
 f29b17d7aca88aa620866e19ef1b755f  corporate/4.0/i586/libpwdb0-static-devel-0.62-2.1.20060mlcs4.i586.rpm
 949a4fcfc69cd11c7c47de603a2100c1  corporate/4.0/i586/pam-0.77-31.1.20060mlcs4.i586.rpm
 4364562c4a910a98c3d9ef678ea5be73  corporate/4.0/i586/pam-doc-0.77-31.1.20060mlcs4.i586.rpm
 9ead568ec16bb8e44d4c1f7d2a365ede  corporate/4.0/i586/pwdb-conf-0.62-2.1.20060mlcs4.i586.rpm 
 8613c335b195ec91515c7023ddca8251  corporate/4.0/SRPMS/cracklib-2.8.3-1.1.20060mlcs4.src.rpm
 fa57a88a81dc3169ab8b68c1e75db1ac  corporate/4.0/SRPMS/pam-0.77-31.1.20060mlcs4.src.rpm
 56b00aefdde6512b79bc17d2a6004036  corporate/4.0/SRPMS/pwdb-0.62-2.1.20060mlcs4.src.rpm

 Corporate 4.0/X86_64:
 5b809c44a34936ca88509749998ebcc2  corporate/4.0/x86_64/cracklib-dicts-2.8.3-1.1.20060mlcs4.x86_64.rpm
 8345ad73abbef63e19fc6c10d721a216  corporate/4.0/x86_64/lib64crack2-2.8.3-1.1.20060mlcs4.x86_64.rpm
 30f5aa853c8e0cc5a1e3da5e88da8862  corporate/4.0/x86_64/lib64crack2-devel-2.8.3-1.1.20060mlcs4.x86_64.rpm
 1f8e87d48ca798327134a45650fddc28  corporate/4.0/x86_64/lib64pam0-0.77-31.1.20060mlcs4.x86_64.rpm
 587942a0d0d8c45b100695ad6f02f734  corporate/4.0/x86_64/lib64pam0-devel-0.77-31.1.20060mlcs4.x86_64.rpm
 549e1b91bda1bd15705f4a2c39a16cd1  corporate/4.0/x86_64/lib64pwdb0-0.62-2.1.20060mlcs4.x86_64.rpm
 f2118437e903344719a3a17a133aaabd  corporate/4.0/x86_64/lib64pwdb0-devel-0.62-2.1.20060mlcs4.x86_64.rpm
 10fbc050e5ecab37e22eb0fad9d06040  corporate/4.0/x86_64/lib64pwdb0-static-devel-0.62-2.1.20060mlcs4.x86_64.rpm
 6844a774f0011d019262871788fc3198  corporate/4.0/x86_64/pam-0.77-31.1.20060mlcs4.x86_64.rpm
 f0a1d78b5d2d4009b91b8835a10896bf  corporate/4.0/x86_64/pam-doc-0.77-31.1.20060mlcs4.x86_64.rpm
 165f252bb3803896dbb144f43bbac8b2  corporate/4.0/x86_64/pwdb-conf-0.62-2.1.20060mlcs4.x86_64.rpm 
 8613c335b195ec91515c7023ddca8251  corporate/4.0/SRPMS/cracklib-2.8.3-1.1.20060mlcs4.src.rpm
 fa57a88a81dc3169ab8b68c1e75db1ac  corporate/4.0/SRPMS/pam-0.77-31.1.20060mlcs4.src.rpm
 56b00aefdde6512b79bc17d2a6004036  corporate/4.0/SRPMS/pwdb-0.62-2.1.20060mlcs4.src.rpm

 Multi Network Firewall 2.0:
 b22d14cb9f2fa4616f2588f7d234ee35  mnf/2.0/i586/libpam0-0.77-12.2.C30mdk.i586.rpm
 e5d1a3942552398ce1ece9a0b43036fa  mnf/2.0/i586/libpam0-devel-0.77-12.2.C30mdk.i586.rpm
 d1ac0a9dff1944381e3699a1037e2936  mnf/2.0/i586/pam-0.77-12.2.C30mdk.i586.rpm
 9ac370aa7b2ac02038a7849e8bf27942  mnf/2.0/i586/pam-doc-0.77-12.2.C30mdk.i586.rpm 
 44899571f6a74e53c97d3bf1f5ebd859  mnf/2.0/SRPMS/pam-0.77-12.2.C30mdk.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFJxRFhmqjQ0CJFipgRAlJkAJ40e3eBCOtkxCmUZ1plFMlZEWk/lgCeKpCG
0nfvCvq+dhD8O8v0t1Yg1dc=
=HveO
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
